OLS-1775: Postgres reconciliation on certificate rotation. #998

sriroopar · 2025-09-23T19:00:54Z

Description

Functionality has been added in order to ensure that the reconciliation happens in the postgres pod by watching the config for deletion of ca certs. This will allow the e2e test to run successfully.

Type of change

Related Tickets & Documents

Related Issue OLS-1775
Closes #

Checklist before requesting a review

I have performed a self-review of my code.
PR has passed all pre-merge test jobs.
If it is a core feature, I have added thorough tests.

Testing

Please provide detailed steps to perform tests related to this code change.
Functionality was verified by watching reconciliation activity when ca cert was intentionally deleted.
How were the fix/results from this change verified? Please provide relevant screenshots or results.

The fix was verified by deleting the olsconfig-service-ca signing-key certificate/ olsconfig ca.crt configmap, and the pods were observed for rollouts with updated cert.

openshift-ci-robot · 2025-09-23T19:00:58Z

sriroopar · 2025-09-24T16:42:53Z

/retest

sriroopar · 2025-09-24T16:44:30Z

/retest

sriroopar · 2025-09-24T17:11:34Z

/retest

sriroopar · 2025-09-24T19:33:23Z

/retest

sriroopar · 2025-09-29T01:22:45Z

/test bundle-e2e-4-18

openshift-ci-robot · 2025-10-01T12:26:15Z

syedriko · 2025-10-13T16:59:17Z

@sriroopar could you squash the commits, please?

openshift-ci · 2025-10-13T17:25:54Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign bparees for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

sriroopar · 2025-10-13T18:16:54Z

/retest

sriroopar · 2025-10-13T19:40:44Z

/retest

openshift-ci · 2025-10-13T20:21:35Z

@sriroopar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/bundle-e2e-4-18	`51d0e9d`	link	true	`/test bundle-e2e-4-18`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

sriroopar · 2025-10-13T20:24:03Z

/retest

internal/controller/ols_app_postgres_reconciliator.go

internal/controller/ols_app_postgres_assets.go

internal/controller/ols_app_postgres_reconciliator.go

internal/controller/ols_app_server_deployment.go

internal/controller/ols_app_server_reconciliator.go

internal/controller/ols_app_postgres_reconciliator.go

internal/controller/resource_watchers.go

internal/controller/ols_app_postgres_reconciliator.go

syedriko · 2025-10-15T02:31:59Z

/lgtm

#Updating hash trigger.

syedriko · 2025-10-15T19:16:29Z

/lgtm

xrajesh · 2025-10-29T01:56:05Z

internal/controller/constants.go

 	PostgresSecretHashKey = "hash/postgres-secret"
+	// PostgresCAHashKey is the key of the hash value of the OLS Postgres CA certificate
+	PostgresCAHashKey = "hash/postgres-ca"
+	// PostgresServiceCACertKey is the key for the service CA certificate in the ConfigMap


Update the name of the configmap

xrajesh · 2025-10-29T01:56:21Z

internal/controller/constants.go

+	PostgresCAHashKey = "hash/postgres-ca"
+	// PostgresServiceCACertKey is the key for the service CA certificate in the ConfigMap
+	PostgresServiceCACertKey = "service-ca.crt"
+	// PostgresTLSCertKey is the key for the TLS certificate in the Secret


Update the name of the Secret

xrajesh · 2025-10-29T02:05:10Z

internal/controller/ols_app_postgres_assets.go

+	storage := &olsv1alpha1.Storage{}
+	if cr.Spec.OLSConfig.Storage != nil {
+		storage = cr.Spec.OLSConfig.Storage.DeepCopy()
+	}


@sriroopar Not sure what triggered to make the above lines part of this PR - looks unrelated - change is valid though.

xrajesh · 2025-10-29T03:07:44Z

internal/controller/olsconfig_controller.go

 	return ctrl.NewControllerManagedBy(mgr).
 		For(&olsv1alpha1.OLSConfig{}).
-		Owns(&appsv1.Deployment{}, generationChanged).
+		Owns(&appsv1.Deployment{}).


@sriroopar Why are we removing the Predicate part of this change ?

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Sep 23, 2025

openshift-ci bot requested review from bparees and xrajesh September 23, 2025 19:01

sriroopar force-pushed the postgres-cert-rotation branch 2 times, most recently from 02cf600 to 3162eff Compare October 1, 2025 12:58

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 13, 2025

sriroopar force-pushed the postgres-cert-rotation branch from 6b9f4af to ca97db2 Compare October 13, 2025 17:25

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 13, 2025

sriroopar force-pushed the postgres-cert-rotation branch from 439a87e to ca97db2 Compare October 13, 2025 17:36

openshift-merge-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 13, 2025

sriroopar force-pushed the postgres-cert-rotation branch from 4f9c62c to ca97db2 Compare October 13, 2025 18:04

openshift-merge-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 13, 2025

sriroopar force-pushed the postgres-cert-rotation branch from 7bfce63 to e1f4b37 Compare October 13, 2025 20:01

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 13, 2025

sriroopar force-pushed the postgres-cert-rotation branch from e1f4b37 to 07eb78c Compare October 13, 2025 20:17

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 13, 2025

sriroopar force-pushed the postgres-cert-rotation branch from 07eb78c to 3aa1f4a Compare October 13, 2025 20:21

sriroopar force-pushed the postgres-cert-rotation branch from 3aa1f4a to c516853 Compare October 13, 2025 20:22

sriroopar force-pushed the postgres-cert-rotation branch from c516853 to cf657e5 Compare October 13, 2025 21:02